Sanitised on the oidc integration

Author: MrMatAP

mrmat_python_api_flask/__init__.py

@@ -28,7 +28,7 @@
 import pkg_resources
 from logging.config import dictConfig
 
-from flask import Flask
+from flask import Flask, render_template
 from flask_sqlalchemy import SQLAlchemy
 from flask_migrate import Migrate
 from flask_marshmallow import Marshmallow
@@ -105,9 +105,10 @@ def create_app(config_override=None, instance_path=None):
     app.config.setdefault('OPENAPI_REDOC_URL', 'https://rebilly.github.io/ReDoc/releases/latest/redoc.min.js')
     app.config.setdefault('OPENAPI_RAPIDOC_PATH', 'rapidoc')
     app.config.setdefault('OPENAPI_RAPIDOC_URL', 'https://unpkg.com/rapidoc/dist/rapidoc-min.js')
-    #app.config.setdefault('OPENAPI_SWAGGER_UI_CONFIG', {
-    #    'oauth2RedirectUrl': 'http://localhost:5000/apidoc/swagger/oauth2-redirect'
-    #})
+    app.config.setdefault('OPENAPI_SWAGGER_UI_CONFIG', {
+        'oauth2RedirectUrl': 'http://localhost:5000/apidoc/swagger/oauth2-redirect'
+    })
+    app.config.setdefault('OPENAPI_SWAGGER_UI_ENABLE_OAUTH', True)
     if 'FLASK_CONFIG' in os.environ and os.path.exists(os.path.expanduser(os.environ['FLASK_CONFIG'])):
         app.config.from_json(os.path.expanduser(os.environ['FLASK_CONFIG']))
     if config_override is not None:
@@ -156,31 +157,39 @@ def create_app(config_override=None, instance_path=None):
     #
     # If OAuth2 is in use, register our usage
 
-    api.spec.components.security_scheme('mrmat_keycloak',
-                                        {'type': 'oauth2',
-                                         'description': 'This API uses OAuth 2',
-                                         'flows': {
-                                             'clientCredentials': {
-                                                 'tokenUrl': 'https://keycloak.mrmat.org/auth/realms/master/protocol/openid-connect/token',
-                                                 'scopes': {
-                                                     'mrmat-python-api-flask-resource-read': 'Allows reading objects '
-                                                                                             'in the Resource API',
-                                                     'mrmat-python-api-flask-resource-write': 'Allows creating/modifying'
-                                                                                              ' and deleting objects '
-                                                                                              'in the Resource API'
-                                                 }
-                                             },
-                                             'authorizationCode': {
-                                                 'authorizationUrl': 'https://keycloak.mrmat.org/auth/realms/master/protocol/openid-connect/auth',
-                                                 'tokenUrl': 'https://keycloak.mrmat.org/auth/realms/master/protocol/openid-connect/token',
-                                                 'scopes': {
-                                                     'mrmat-python-api-flask-resource-read': 'Allows reading objects '
-                                                                                             'in the Resource API',
-                                                     'mrmat-python-api-flask-resource-write': 'Allows creating/modifying'
-                                                                                              ' and deleting objects '
-                                                                                              'in the Resource API'
-                                                 }
-                                             }
-                                         }})
+    api.spec.components.security_scheme('mrmat_keycloak', {
+        'type': 'oauth2',
+        'flows': {
+            'authorizationCode': {
+                'authorizationUrl': 'https://keycloak.mrmat.org/auth/realms/master/protocol/openid-connect/auth',
+                'tokenUrl': 'https://keycloak.mrmat.org/auth/realms/master/protocol/openid-connect/token',
+                'scopes': {
+                    'openid': 'Basic token without extra authorisation',
+                    'mrmat-python-api-flask-resource-read': 'Allows reading objects '
+                                                            'in the Resource API',
+                    'mrmat-python-api-flask-resource-write': 'Allows creating/modifying'
+                                                             ' and deleting objects '
+                                                             'in the Resource API'
+                }
+            }
+        }})
+    # api.spec.components.security_scheme('mrmat_keycloak', {
+    #     'type': 'openIdConnect',
+    #     'openIdConnectUrl': 'https://keycloak.mrmat.org/auth/realms/master/.well-known/openid-configuration'
+    # })
+    # api.spec.security('mrmat_keycloak', [
+    #     'profile',
+    #     'mrmat-python-api-flask-resource-write',
+    #     'mrmat-python-api-flask-resource-read'
+    # ])
+
+    @app.route('/apidoc/swagger/oauth2-redirect')
+    def oauth2_redirect():
+        return render_template('swagger-ui-redirect.html')
+        # state = request.args.get('state')
+        # code = request.args.get('code')
+        # session_state = request.args.get('session_state')
+        # return {'state': state, 'code': code, 'session_state': session_state}, 200
+
 
     return app

mrmat_python_api_flask/apis/greeting/v3/api.py

@@ -38,6 +38,7 @@
 class GreetingV3(MethodView):
 
     @oidc.accept_token(require_token=True)
+    @bp.doc(security=[{'mrmat_keycloak': ['profile']}])
     @bp.response(200, GreetingV3Output)
     def get(self):
         """Get a greeting for your asserted name from a JWT token

mrmat_python_api_flask/templates/swagger-ui-redirect.html

@@ -0,0 +1,68 @@
+<!doctype html>
+<!-- Taken from a PR to flask-smorest at https://github.com/marshmallow-code/flask-smorest/pull/89 -->
+<html lang="en-US">
+<body onload="run()">
+</body>
+</html>
+<script>
+    'use strict';
+    function run () {
+        var oauth2 = window.opener.swaggerUIRedirectOauth2;
+        var sentState = oauth2.state;
+        var redirectUrl = oauth2.redirectUrl;
+        var isValid, qp, arr;
+
+        if (/code|token|error/.test(window.location.hash)) {
+            qp = window.location.hash.substring(1);
+        } else {
+            qp = location.search.substring(1);
+        }
+
+        arr = qp.split("&")
+        arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace('=', '":"') + '"';})
+        qp = qp ? JSON.parse('{' + arr.join() + '}',
+            function (key, value) {
+                return key === "" ? value : decodeURIComponent(value)
+            }
+        ) : {}
+
+        isValid = qp.state === sentState
+
+        if ((
+            oauth2.auth.schema.get("flow") === "accessCode"||
+            oauth2.auth.schema.get("flow") === "authorizationCode"
+        ) && !oauth2.auth.code) {
+            if (!isValid) {
+                oauth2.errCb({
+                    authId: oauth2.auth.name,
+                    source: "auth",
+                    level: "warning",
+                    message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+                });
+            }
+
+            if (qp.code) {
+                delete oauth2.state;
+                oauth2.auth.code = qp.code;
+                oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl});
+            } else {
+                let oauthErrorMsg
+                if (qp.error) {
+                    oauthErrorMsg = "["+qp.error+"]: " +
+                        (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                        (qp.error_uri ? "More info: "+qp.error_uri : "");
+                }
+
+                oauth2.errCb({
+                    authId: oauth2.auth.name,
+                    source: "auth",
+                    level: "error",
+                    message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+                });
+            }
+        } else {
+            oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl});
+        }
+        window.close();
+    }
+</script>